Palo Alto Packet Drop Cheat Sheet
Purpose: Analyzing dropped return packets.

Check Drop Counters for Silent Drops

Use the CLI to identify silent drops that bypass logging:

    show counter global filter delta yes | match drop

Look for counters like:

- flow_pkt_status_tcp_timeout_receive: TCP session aged out due to inactivity.
- flow_aged_out: Session expired (check session timers).
- flow_deny_tcp_not_syn: Non-SYN packet in a new session (indicates state mismatch).
- flow_deny_mismatch: NAT/zone/routing mismatch.
- bp_drop, zone_defense_drop, or ip_fragment_drop: Zone protection or fragment drops.

Reference:

- What is the significance of Global Counters?
- Packet Flow Sequence in PAN-OS

...
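To triage saved output of the counter command above offline, the following added example (not part of the original cheat sheet and not Palo Alto code) parses the rows, keeps non-zero counters with severity drop, and attaches the interpretation listed above. It assumes the row layout name, value, rate, severity, category, aspect, description; the sample rows, their values, the names some_other_drop and flow_info_example, and the function name triage are constructed for illustration.

```python
import re

# Interpretations taken from the cheat sheet above, keyed by counter name.
MEANINGS = {
    "flow_pkt_status_tcp_timeout_receive": "TCP session aged out due to inactivity",
    "flow_aged_out": "session expired (check session timers)",
    "flow_deny_tcp_not_syn": "non-SYN packet in a new session (state mismatch)",
    "flow_deny_mismatch": "NAT/zone/routing mismatch",
    "bp_drop": "zone protection or fragment drop",
    "zone_defense_drop": "zone protection or fragment drop",
    "ip_fragment_drop": "zone protection or fragment drop",
}

# Assumed row layout: name value rate severity category aspect description
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(.*)$")

# Constructed sample of saved CLI output (names in the last two rows and all values are made up).
SAMPLE = """\
name                      value  rate severity category aspect   description
----------------------------------------------------------------------------
flow_deny_tcp_not_syn        42     3 drop     flow     session  constructed description
flow_aged_out                 7     0 drop     flow     session  constructed description
zone_defense_drop             0     0 drop     flow     dos      constructed description
some_other_drop               5     0 drop     flow     parse    constructed description
flow_info_example             9     0 info     flow     pktproc  constructed: mentions drop
"""

def triage(text):
    """Return non-zero drop counters, largest delta first, with the cheat-sheet meaning."""
    hits = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header, separator, blank or prompt lines
        name, value, rate, severity = m.group(1), int(m.group(2)), int(m.group(3)), m.group(4)
        # "| match drop" also matches rows that only mention "drop" in the description.
        if severity != "drop" or value == 0:
            continue
        meaning = MEANINGS.get(name, "not in cheat sheet; read its description")
        hits.append((name, value, rate, meaning))
    return sorted(hits, key=lambda h: h[1], reverse=True)

if __name__ == "__main__":
    for name, value, rate, meaning in triage(SAMPLE):
        print(f"{value:>8}  {name}: {meaning}")
```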